1. Technical Field
The present invention is directed to a system and method for representing multiple security groups as a single data object. More specifically, the present invention is directed to a mechanism for representing and authenticating a plurality of security groups using a complex group value and a mask value.
2. Description of Related Art
In most large scale computing systems, users and resources are typically arranged in groups in order to manage system security. For example, access control lists may be provided for managing access to resources by other resources and/or users of the computing system. An access control list is a set of data associated with a file, directory or other resource that defines the permissions that users, groups, processes or devices have for accessing it. For example, a group may be established for “administrators” and a user's identifier may be added to this group to designate the user as an “administrator.” If a resource's access control list indicates that only “administrators” may be provided with access to the resource, then a user whose identifier is part of the “administrators” group will be able to access this resource, and a user whose identifier is not will be denied.
One problem with many large computer systems is the proliferation of group identifiers in the computer system. When a user or resource requests access to another resource, the authorization check must traverse the list of groups to identify the group associated with the user or resource requesting access and then determine if access permission is present. With a linear traversal this costs, on average, one half of the entire list when a matching group exists, and the entire list when none does, as for a request that must be denied. That is, as the number of groups used in the computer system increases, the time required to perform authorization processing increases in proportion. This causes a decrease in the performance of the computer system.
Thus, it would be beneficial to have a system and method for representing groups of users/resources in a manner that does not require traversal of a large list of group identifiers to determine if access to a resource is permitted.
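The following is an added illustration and not text from the patent: the related-art access check of the preceding paragraphs, which walks a list of group entries and counts how many it examines, beside a check in which every group a user belongs to is packed into one integer and the permitted groups of an access control list into a mask. The one-bit-per-group layout, the `Group`, `GroupBits`, `scan_authorize` and `mask_authorize` names, and the sample group list are this example's own assumptions; the patent text above names a “complex group value” and a “mask value” without specifying their layout.

```python
"""Added example, not text from the patent: the related-art access check that
walks a list of groups, beside the same decision made with a user's groups
packed into one integer and the ACL's permitted groups packed into a mask.
The bit-per-group layout is this example's assumption; the patent text only
names a "complex group value" and a "mask value"."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset


# Constructed sample group list, as a directory might hold it. The groups the
# sample ACLs care about sit near the end so the scan cost is visible.
GROUPS = [Group(f"group{i:03d}", frozenset({f"user{i:03d}"})) for i in range(200)]
GROUPS += [
    Group("administrators", frozenset({"alice", "user007"})),
    Group("auditors", frozenset({"bob"})),
]


def scan_authorize(user, acl_groups, groups=GROUPS):
    """Related-art check: examine group entries in order until one is found
    that both contains the user and is named in the ACL.
    Returns (allowed, number of group entries examined)."""
    examined = 0
    for group in groups:
        examined += 1
        if user in group.members and group.name in acl_groups:
            return True, examined
    return False, examined  # a denial always costs a full traversal


class GroupBits:
    """Assigns every group name a bit position (assumption of this example)
    and builds the two values the mask check needs."""

    def __init__(self, group_names):
        self._bit = {name: 1 << i for i, name in enumerate(group_names)}

    def mask(self, group_names):
        """OR of the bits for the named groups. An unknown name raises
        KeyError rather than silently contributing no bit, so a mistyped
        ACL entry fails loudly instead of quietly denying everyone."""
        value = 0
        for name in group_names:
            value |= self._bit[name]
        return value

    def user_value(self, user, groups=GROUPS):
        """The user's complex group value: every group the user belongs to,
        computed once (for example at logon) and carried with the session,
        so the per-request check no longer touches the group list."""
        return self.mask(g.name for g in groups if user in g.members)


def mask_authorize(user_value, acl_mask):
    """Grant if the user is in any permitted group: a single AND, whose cost
    does not grow with the number of groups defined in the system."""
    return (user_value & acl_mask) != 0


def mask_authorize_all(user_value, acl_mask):
    """Variant for an ACL that demands membership in every listed group."""
    return (user_value & acl_mask) == acl_mask


def compare(user, acl_groups, bits):
    """Both checks must reach the same decision.
    Returns (scan decision, mask decision, entries the scan examined)."""
    allowed, examined = scan_authorize(user, acl_groups)
    mask_allowed = mask_authorize(bits.user_value(user), bits.mask(acl_groups))
    return allowed, mask_allowed, examined


if __name__ == "__main__":
    bits = GroupBits(g.name for g in GROUPS)
    for user, acl in [("alice", {"administrators"}),
                      ("carol", {"administrators"}),
                      ("user007", {"group007"})]:
        print(user, sorted(acl), compare(user, acl, bits))
```

Two points a practitioner would check before relying on such a layout: the cost has not vanished but moved to building the user's value, which must be recomputed whenever group membership changes or the value will grant stale rights; and if the value is stored in a fixed-width field rather than an arbitrary-precision integer as here, the number of representable groups is capped at the field's width.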